You're probably blocking DNS lookups; it will eventually time out. Try using the `-n' (numeric) flag to ipchains, which suppresses the lookup of names.
You must put the `!' option by itself, with spaces either side. A classic mistake (warned about in 1.3.10) is:
# ipchains -A input -i !eth0 -j DENY #
There will never be an interface called `!eth0', but ipchains doesn't know that.
Make sure that packet forwarding is enabled (in recent kernels it is disabled by default, meaning that packets never even try to traverse the `forward' chain). You can override this (as root) by typing
# echo 1 > /proc/sys/net/ipv4/ip_forward #
If this works for you, you can put this somewhere in your bootup scripts so it is enabled every time; you'll want to set up your firewalling before this command runs though, otherwise there's an opportunity for packets to slip through.
You must allow forwarding packets (see above) for redirect to work; otherwise the routing code drops the packet. So if you are just using redirect, and don't have any forwarding at all, you should be aware of that.
Note that REDIR (being in the input chain) doesn't effect connections from a local process.
There was a bug in versions 2.1.102 and 2.1.103 of the kernel (and some old patches I produced) which made ipchains commands which specified a wildcard interface (such as -i ppp+
) fail.
This is fixed in recent kernels, and in the 2.0.34 patch on the web site. You can also fix it by hand in the kernel source by changing line 63 or so in include/linux/ip_fw.h:
#define IP_FW_F_MASK 0x002F /* All possible flag bits mask */
This should read ``0x003F''. Fix this and recompile the kernel.
This was my mistake: setting the Type of Service field did not actually set the Type of Service in kernel versions 2.1.102 through 2.1.111. This problem was fixed in 2.1.112.
For 2.0.x, this is true; I haven't time to create and maintain a jumbo patch for ipchains and ipautofw/ipportfw.
For 2.1.x, download Juan Ciarlante's ipmasqadm from
<url url="http://juanjox.linuxhq.com/" name="http://juanjox.linuxhq.com/">and use it exactly as you would have used
ipautofw
or ipportfw
, except instead of ipportfw
you type ipmasqadm portfw
, and instead of ipautofw
you type ipmasqadm autofw
.
Upgrade to version 1.6.0 or above, which doesn't require any firewall rules at all for 2.1.x kernels. This seems to have broken again in the 1.6.1 release; please bug the author (it's not my fault!).
This was a bug in ipchains version 1.3.3. Please upgrade.
True (for 2.1.x kernels) up to 2.1.123. In 2.1.124, trying to set the masquerading timeouts causes a kernel lockup (change return
to ret =
on line 1328 of net/ipv4/ip_fw.c). In 2.1.125, it works fine.
So do a number of others, it seems. My code only covers IP, unfortunately. On the good side, all the hooks are there to firewall IPX! You just need to write the code; I will happily help where possible.